Published 5:10 am, Friday, August 29, 2014

A security flaw has been discovered in popular gay dating app Grindr that reveals the exact location of every user with location services enabled.

In a post on note site PasteBin, an anonymous user explains how Grindr can be used to triangulate user locations using simple, unauthenticated calls to Grindr's application programming interface API calls. (An API is the access point that software developers use to link their apps and services to another app, in this case Grindr.) Using this exploit, another anonymous internet user went on to create a map that displays the names, photos and locations of all Grindr users with location services enabled.

That flaw potentially lets men using Grindr become targets for gaybashing.

In a 2013 press release, Grindr claimed that over 90% of its users have location services enabled, meaning that almost every user of the app will have their location viewable on this map. The app is intended to let people see how far away you are but not your exact location. You can arrange meetings only by messaging the people who appear to be near you.

Here's a map of users in Malta:

The same PasteBin note also details how it's possible to spoof the app's messaging system and impersonate any user on the site, a serious flaw that Grindr has struggled to fix in the past.

Here is a screenshot showing the location of Grindr users in Chicago:

The original PasteBin note claims that Grindr was informed of the exploit "several times within the past months." But in a statement to Business Insider, Grindr dismissed the safety concerns, remarking "We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. As always, our user security is our top priority and we do our best to keep our Grindr community secure."

Despite downplaying the security concerns, after this article was published Grindr sent out an alert to all users, warning them that they may wish to hide their location.

This video shows how the map can be used, and why it might be dangerous to gay men who do not know their location is visible:

Grindr's API doesn't require authentication or developer keys to access, and so anyone can query the app to find the 50 nearest users, as well as their distance from any specific location. It's then possible to send two more queries from different locations, and triangulate the exact location of every user who has enabled location services.

Using the Grindr exploit, it's possible to view the locations, photos and names of Grindr users in countries like Iran and Russia, where being openly homosexual is often dangerous. America Blog was able to discover nearly 200 Grindr users in Iran using the method outlined above. Homosexuality is illegal in Iran, and it's estimated that the country has executed between 4,000 and 6,000 gay people since 1979. In Russia, homosexuality is legal, although gay men and women are often the target of hate crimes and violence.

Launched in 2012, Grindr pioneered the kind of location-based dating that Tinder went on to bring into the mainstream. Users can create profiles, and view other people near them sorted by their proximity. But the app has often found itself the subject of security scandals. In 2012 it was revealed that Grindr's API can be used to log in as any user, send messages and photos, and view passwords. Grindr later claimed to have fixed the vulnerability, although a report from the University of Amsterdam revealed widespread security issues due to the app's open API.